Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April. Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed …
1st April 2009 12:00
Skynet seed code spread using conficker bot to 2 million machines
Kills AV websites
Bids on ALL DARPA projects
Finishes em ALL
Bored Now !, playing tetris against itself
Maybe it'll just blow a massive e-raspberry and disappear. I'll be booting into Linux on the day, just in case.
It seems strange that nobody can stop it, although they can dissect and monitor it, and nobody has a clue as to who is behind it. A false flag to encourage further internet restrictions?
Digging a little Deeper into the dapper Conficker.
"Microsoft is heading an alliance, the anti-cabal alliance, .."
That made me smile, John, ironically. :-) Do Microsoft recognise that it is their Core Services and Drivers which are badly infected/compromised/affected? Or that it is all Binary Control Systems, whether hardened or not.
"In a financially motivated economy it doesn't make sense to not rent it out or sell it off," he adds. Has anyone considered it could be "loaned" on a freelance basis for specific random national attacks ... a sort of rogue mercenary force with no definable affiliation ... a sort of hired gun/Hit and Run Program of Fleeting Destruction for Chaos Purges.
And I think it most unlikely that it will do anything obviously spectacular whenever it can be so much more successful, so invisible and unknown a known.
And I suppose the Pentagon have Systems in place to prevent snooping around its Toxic Lead Dumps/Top Level Domains for Source Infection/Stealth Propagation. It is something which DARPA/IARPA would just love to be Pimping, surely, in a Long Game of Naked Shorts?
You forgot one entry:
Realizes that no matter how hard it tries, it always loses. Decides to take over the world instead.
Let's hope the writers don't have a larger world view
And it's not in some way linked to the "Stop the City" protests planned for the same date.
Hey, you never know, the writer of conficker might get run over by a bus tomorrow.
(With appropriate apologies to bus drivers. Hmm... maybe apologies is the wrong word or... ooooh shiny!
"...an impending malware attack has sometimes lead to nothing more than a damp squib,"
I ordered the damp squib at dinner last night. It was quite disappointing, I must say.
Geeze I'm old. Heck, I remember when websites would EAT YOUR BALLS.
Better keep it out BUT
... "security software" vendors making scary predictions, scareware roaches trying to slip in, nothing new really... if memory serves, the previous version of the worm was supposed to disrupt half the tarwebs, now a huge noise is created around the next update (there have been, like, 3 such update points already I reckon. Each time we had the "Oh noes we're all gonna die" stuff from Symantec and El Reg, I for one know I am still there.)
Wipe and harden your networks, work on your overflow-dodging strategies, it's going to be time well spent anyway, but please stop with this continuous "run for the hills" hysteria. I mean, look at your title, then read your own article, then check the facts. Wow. Title has nothing to do with the content of the article, which itself is a quite liberal (and drama-like) interpretation of the facts.
"Final countdown to Conficker 'activation' begins", really? I think not. More like "final countdown to some possible connection that -if successful- might result in some modification of the worm's code, which, if successful, might -but most probably won't- add a malicious payload, which, in turn, might lead to the 'activation' of the botnet. We are all going to die on April first, then." It's quite a bit of a stretch, don't you think?
"An analysis of the worm"
That surely breaks the DMCA, send these "security experts" to jail right now!
it will be a dangerous update/payload... haven't had till now a destruction day... and also would permanently mark Conficker in the AV history pages.
1) Register a slew of target domains (pseudo-random implies the domains can be guessed)
2) Log the IPs of all machines that connect
3) Send those IP logs to the relevant ISP
4) Have them remove/block the offending clients
5) If the ISP does not confirm within 24 hours that all clients are blocked/removed, block all traffic with that ISP
6) When the infected end-user complains, the ISP can recover any costs from them.
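Steps 2 and 3 of this proposal in working form, as an added example that is not code from the post: given constructed sinkhole log lines and a hypothetical prefix-to-ISP table, it deduplicates the addresses that contacted the sinkholed domains and groups them per ISP so each ISP gets one list to act on.

```go
package main

import (
	"net"
	"sort"
	"strings"
)

// Constructed sinkhole log sample: "<timestamp> <client-ip> <domain-contacted>".
const sinkholeLog = `2009-04-01T00:00:03Z 198.51.100.7 abcxyz.info
2009-04-01T00:00:05Z 203.0.113.9 qwerty.biz
2009-04-01T00:00:09Z 198.51.100.7 mnopqr.net
2009-04-01T00:00:11Z 198.51.100.22 abcxyz.info
2009-04-01T00:00:14Z 192.0.2.4 zzzyyy.org`

// Hypothetical block-to-ISP table (a real tool would use whois/ASN data).
var ispPrefixes = map[string]string{
	"198.51.100.0/24": "ISP-A",
	"203.0.113.0/24":  "ISP-B",
}

// ispFor returns the ISP owning ip, or "unknown" if no prefix matches.
func ispFor(ip net.IP) string {
	for cidr, isp := range ispPrefixes {
		if _, block, err := net.ParseCIDR(cidr); err == nil && block.Contains(ip) {
			return isp
		}
	}
	return "unknown"
}

// TriageSinkholeLog deduplicates the client addresses seen by the sinkhole
// and groups them per ISP, giving each ISP one sorted list to act on.
func TriageSinkholeLog(log string) map[string][]string {
	seen, byISP := map[string]bool{}, map[string][]string{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || seen[f[1]] || net.ParseIP(f[1]) == nil {
			continue // malformed line, bad address, or already recorded
		}
		seen[f[1]] = true
		isp := ispFor(net.ParseIP(f[1]))
		byISP[isp] = append(byISP[isp], f[1])
	}
	for _, ips := range byISP {
		sort.Strings(ips)
	}
	return byISP
}
```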
I'm no coder, let me get that caveat out there first and foremost.
There are about 5000 domains, right? some are known. Conficker is designed to update via these servers and pass around. Am I the only one that has thought about trying to get hold of one of these update server addresses, and putting an 'update' on there that basically disables it?
That's the thing about autoupdates - it's great as long as you're sure you always want the updates available. I personally don't, and that's why windows update is set to 'tell me of new updates' rather than install automagically.
Block all windows machines from our network
If our networks get raped due to this windows worm maybe we should start thinking about preventing windows machines accessing our important networks - i.e the internet.
As a sysadmin I'm going to be pissed if my whole day is ruined by some sub prime OS.
EEeeck ! What can be done?
Scary has a humorous point . . .
Bit worrying all this with less than a week to go, but what can be done by the government and internet authorities and our protectors to circumvent this, plus the unrest that's brewing over the G20 meet ? . . .
As well as stronger global financial security and oversight it appears we need a similarly coordinated international internet oversight and protection arrangement and fast.
This has been argued to death already. Installing or running software on someone's computer without their consent is illegal, no matter what it does or why you're doing it. There is no exemption for 'the public good', as the BBC recently discovered.
Why always with the negative spin?
Why does everybody always assume this will be a negative thing? Maybe the whole thing's been designed by some philanthropist who's decided to fight fire with fire. An anti-virus worm with a "robust" P2P network allowing for near-real-time updates from future threats, perhaps? You heard it here first, and I want my millions of well-deserved theoretical dollars should this come to pass.
I for one welcome our virus-battling, virus-writing overlord(s).
in me cries wonderful, I must get some popcorn.
The IT professional in me shrugs and thinks... At least it might generate me some more work.
The (novice) coder in me thinks... Nice one, some cool features and good ideas but the encryption and obfuscation could be improved; your code has been reversed.
The (expert) wanker in me thinks... I hope this does not disrupt my access to porn.
The realist inside me just doesn't give a shit. It is not like it's going to have a massive impact on my life.
@anonymous coward (Hmmm...)
1) Um, OK.
2) Also, um ok
3) Now why would you do that?
4) Ah, I see. Really? Harsh.
5) And now you have just done more than the worm could realistically hope to do - essentially shut down huge swathes of t'internet.
6) Ha! You're funny!
Like climate change, bad guys' effects are global, hard work needs to be local
I was reading the report http://mtc.sri.com/Conficker/ It's interesting but eye glazing stuff.
Its Appendix 1 (Cumulative Census by Country)
Am I reading this right? At their honeypots they detected the following breakdown of the drones:
IE5=26,525, IE6=7,494,466, IE7=2,988,039, FireFox=893, Opera=150, Safari=166, Netscape=12
So, as a guy who goes out and fixes PCs for a living, I should be getting my clients to use IE6 for repeat business, and anything but IE if I want to be able to sleep at night.
Sigh, no wonder I'm just barely making the bills.
"Geeze I'm old. Heck, I remember when websites would EAT YOUR BALLS."
Same here. I had to get a shot for the clap a decade ago when the 'Love Letter to you' virus hit.
Paris - cos she's been there, done that.
It would be nice if it were that simple, but life rarely is. Apart from being illegal, what happens when a bug in the hypothetical Conficker disabler you speak of accidentally corrupts the Windows system files of half the machines it gets installed on? Do you think a major software vendor would accept responsibility for any losses and own up to illegally downloading their fix onto millions of PCs without the users' consent?
Secondly, if Conficker is as well-written as the security folks tell us it is, then it's not going to accept just any old update. It will only install a new payload if it has been signed in some way by the original authors, much like a typical antivirus program will only install updates it can verify as having come from its parent company.
/Tux and I will be sitting down with our popcorn come April 1 to watch the fireworks (or damp squibs).
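The signed-update point above in working form, as an added example that is not code from the post or from any real updater: a publisher signs payloads with Ed25519 and a client installs only what verifies under its pinned public key, so a tampered payload or one signed by anyone else is dropped untouched. Publisher, Client and Update are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Update is a payload plus a detached signature over it.
type Update struct {
	Payload   []byte
	Signature []byte
}

// Publisher holds the signing key (hypothetical name, not a real updater's API).
type Publisher struct{ priv ed25519.PrivateKey }

// NewPublisher generates a fresh key pair and returns the public key to pin.
func NewPublisher() (*Publisher, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Publisher{priv: priv}, pub, nil
}

func (p *Publisher) Sign(payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(p.priv, payload)}
}

// Client accepts an update only when its signature verifies under the
// pinned key; a tampered or third-party payload never gets installed.
type Client struct {
	trusted   ed25519.PublicKey
	installed []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify under trusted key")

// Install verifies before touching the payload; on failure nothing changes.
func (c *Client) Install(u Update) error {
	if !ed25519.Verify(c.trusted, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	c.installed = append([]byte(nil), u.Payload...)
	return nil
}

func (c *Client) Installed() []byte { return c.installed }
```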
Good morning ...
Dr Falken, would you like to play a little game ?
"It's unclear who created or now controls this huge resource."
Could it be the BBC?
Well, I guess I'm alone on this
But i really really want this to go MENTAL !!!!!
My trial ends soonish and my speciality is fixin' lusers' computers
"it said I had a virus and I need to click on this to de-infect... was I not meant to do that"
anon: Well, come on, I'm wanting computer armageddon
You don't make friends that way!!
I hope it fries all
the Windoze boxes at work. I'm just going to sit and laugh.
Shall we play a game?
Wouldn't you prefer a nice game of chess?
Please please please...
Be absolutely devastating. I'm nearly out of beer money, computers just don't break as reliably as they used to!
@I hope it fries all...
> the windows boxes at work
I'd rather it hit all home machines first. Less impact on the economy, more real benefit.
2k bug is sooo last millennium
*goes and buys some popcorn in readiness for Day Of The Conficker*
This looks like it'll be more exciting than the 2k bug (did anything important actually screw up because it was programmed with a two digit year instead of a 4 digit year?)
Quick Ma'.... to the coal bunker.
The Internet can be accessed from pretty much anywhere right?
The internet is the WORLD's primary medium of long distance communication.
Cornflicker has massive potential to cause a disruption of the world's communication systems.
An attack on a planet's communication systems can only mean one thing.........
Find the source
If the registrars weren't all so goddamn lazy they'd pool a list of who owns those domains, then on April 1st it's just a matter of issuing 50,000 queries and finding which site has the payload. You've got to pay to register a domain? Then follow the money.
And please don't tell me they're still offering those "free 1 week trial of your domain" teasers - if they are then they're just as culpable here as the morons who aren't running virus checking on their PCs.
@Haku re y2k
"(did anything important actually screw up because it was programmed with a two digit year instead of a 4 digit year?)"
Yep it screwed up, but not on a two digit date - my local video library system went berserk about the video that I'd had over the new year break, for minus ten years.
Turns out that the year was always nineteen-ninety-something - so they had a 1 digit year and it went back to 1990
The problem with all this crying wolf is when something really nasty *does* hit (a virus reaches the point where it can't be stopped and it will do a lot of damage, guaranteed) nobody is going to be listening any more.
I much prefer f-secure's take on the matter:
@ Tony Hoyle
"I much prefer f-secure's take on the matter"
Yeah, Sophos made it to my personal "absolute no-no" list of security vendors (on which Symantec was beginning to feel a bit lonely) because of their constant bullshit, especially about Conficker.
Teh conficker is coming teh conficker is coming!!!!!1111!!11111!!!!!oneeleven!!111.
Really, seriously people turn down the fucking hype machine and take a deep breath please. Like I said before, watch your systems, patch/disinfect/harden as necessary and get on with business. But the constant proclamations of doom at the hands of conficker are really getting out of hand and potentially distracting people from doing what they can to protect their systems. It really is getting a bit like the boy who cried wolf since it seems every time someone discovers so much as a misplaced period in the code of conficker, then that discovery somehow deserves a press release touting how the world is going to come to an end at the hands of this worm (this is particularly true of the twits at Sophos).
I wouldn't be surprised next to find a news story saying that conficker will cause you to become sterile, blind, and grow a third arm while simultaneously killing your dog and causing your mom to mate with the nearest gold fish.